The invention relates to establishing and maintaining security access policies for enterprise resources. Historically, a trade-off exists between user function and system security. More system functionality often means lower levels of security. As feature set expanded, the overhead of administration and enforcement of security policy within the application has grown an exponentially. Additionally, the Internet has allowed commercial users to directly interact with customers. The overhead associated with maintaining permissions for individual users and customers has become a serious constraint upon the ability of companies to grow.
Access control decision began as a simple list of “named users” for each resource under management. When a user wanted to invoke a function, his identity was checked against the access control list (ACL) for that function. If the user was not on the list, the user's access would be denied. For very small user populations this was an acceptable way to do business. As system functionality and user community sizes began to increase, however, this proved to be a severely constrained architecture. It is not unusual to find single applications with 20 or more ACL's, each having hundreds to thousands of entries.
Next, access management began to form and utilize user groups. The concept is relatively simple—each user is “enrolled” in one or more groups, and the ACL's were reconfigured to grant access to groups as well as named users. This solution reduced the overhead of adding a new user to the environment, as adding a user to a group had the net effect of adding him dynamically to the ACL of all resources granting that group permissions. Unfortunately, it created some major problems that did not solve the inadequacies of the “named user” model.
Permissions, once granted to a user or group, were static. If the security policy for a resource was modified, every ACL and Group associated with the resource had to be reviewed and redefined to ensure that only those who met the current criteria for use were permitted access. In this situation, the list of users impacted could number in the tens of thousands.
Access controls have also been abstracted through several levels. The administration has been often split into multiple areas of responsibility. For example, ACL administration was generally performed by development groups responsible for the applications, while group administration typically under control of Information Security. This solution provides was an extremely convoluted process to track user access to an individual resource. Generally it is simpler to grant a user access to a new group each time he changes jobs rather than to determine the user's current permissions and modify these permissions based on his new position.
While official policies may exist as to who should be granted access, interpretation and enforcement are typically inconsistent. Users are assigned to groups by people who traditionally are overworked and understaffed. Additionally, as membership in an ACL or group is statically granted, systems cannot easily handle access control decisions based on dynamic data such as time, location, employee status, etc. Thus, most enterprises and their users suffer as a result.
One particular recent prior art solution offers an extremely broad computer based rules management system. The solution makes a decision on a proposed action of a system component without defining the component as an application. However, there exists a need for the accessing entity to be a user requesting access to a physical space, such as a building, computer room, etc.